package org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal;

import com.google.common.collect.Iterators;
import java.security.Principal;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.StreamSupport;
import javax.jcr.RepositoryException;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.iterator.RangeIteratorAdapter;
import org.apache.jackrabbit.oak.api.PropertyValue;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.memory.PropertyValues;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.AutoMembershipConfig;
import org.apache.jackrabbit.oak.spi.security.user.DynamicMembershipProvider;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/AutoMembershipProvider.class */
class AutoMembershipProvider implements DynamicMembershipProvider {
    private static final String BINDING_AUTHORIZABLE_IDS = "authorizableIds";
    private final Root root;
    private final UserManager userManager;
    private final NamePathMapper namePathMapper;
    private final AutoMembershipPrincipals autoMembershipPrincipals;
    private final AutoMembershipPrincipals groupAutoMembershipPrincipals;

    AutoMembershipProvider(@NotNull Root root, @NotNull UserManager userManager, @NotNull NamePathMapper namePathMapper, @NotNull Map<String, String[]> map, @Nullable Map<String, String[]> map2, @NotNull Map<String, AutoMembershipConfig> map3) {
        this.root = root;
        this.userManager = userManager;
        this.namePathMapper = namePathMapper;
        this.autoMembershipPrincipals = new AutoMembershipPrincipals(userManager, map, map3);
        this.groupAutoMembershipPrincipals = map2 == null ? null : new AutoMembershipPrincipals(userManager, map2, map3);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public AutoMembershipProvider(@NotNull Root root, @NotNull UserManager userManager, @NotNull NamePathMapper namePathMapper, @NotNull SyncConfigTracker syncConfigTracker) {
        this(root, userManager, namePathMapper, syncConfigTracker.getAutoMembership(), syncConfigTracker.hasDynamicGroupsEnabled() ? syncConfigTracker.getGroupAutoMembership() : null, syncConfigTracker.getAutoMembershipConfig());
    }

    public boolean coversAllMembers(@NotNull Group group) {
        return false;
    }

    @NotNull
    public Iterator<Authorizable> getMembers(@NotNull Group group, boolean z) throws RepositoryException {
        ArrayList arrayList = new ArrayList();
        searchGlobalMembers(group, arrayList);
        arrayList.add(this.autoMembershipPrincipals.getMembersFromAutoMembershipConfig(group));
        return Iterators.concat(arrayList.iterator());
    }

    public boolean isMember(@NotNull Group group, @NotNull Authorizable authorizable, boolean z) throws RepositoryException {
        String idpName = DynamicGroupUtil.getIdpName(authorizable);
        if (idpName == null) {
            return false;
        }
        if (!authorizable.isGroup()) {
            return isMember(this.autoMembershipPrincipals, idpName, group, authorizable, z);
        }
        if (this.groupAutoMembershipPrincipals == null || group.getID().equals(authorizable.getID())) {
            return false;
        }
        return isMember(this.groupAutoMembershipPrincipals, idpName, group, authorizable, z);
    }

    private static boolean isMember(@NotNull AutoMembershipPrincipals autoMembershipPrincipals, @NotNull String str, @NotNull Group group, @NotNull Authorizable authorizable, boolean z) throws RepositoryException {
        return z ? autoMembershipPrincipals.isInheritedMember(str, group, authorizable) : autoMembershipPrincipals.isMember(str, group.getID(), authorizable);
    }

    @NotNull
    public Iterator<Group> getMembership(@NotNull Authorizable authorizable, boolean z) throws RepositoryException {
        String idpName = DynamicGroupUtil.getIdpName(authorizable);
        if (idpName == null) {
            return RangeIteratorAdapter.EMPTY;
        }
        return getGroupIterator((authorizable.isGroup() ? this.groupAutoMembershipPrincipals == null ? Collections.emptyMap() : this.groupAutoMembershipPrincipals.getAutoMembership(idpName, authorizable, false) : this.autoMembershipPrincipals.getAutoMembership(idpName, authorizable, false)).values(), z);
    }

    @NotNull
    private static Iterator<Group> getGroupIterator(@NotNull Collection<Group> collection, boolean z) {
        if (collection.isEmpty()) {
            return RangeIteratorAdapter.EMPTY;
        }
        RangeIteratorAdapter rangeIteratorAdapter = new RangeIteratorAdapter(collection);
        return !z ? rangeIteratorAdapter : new InheritedMembershipIterator(rangeIteratorAdapter);
    }

    private void searchGlobalMembers(@NotNull Group group, @NotNull List<Iterator<Authorizable>> list) throws RepositoryException {
        Principal principalOrNull = getPrincipalOrNull(group);
        if (principalOrNull == null) {
            return;
        }
        Set<String> configuredIdpNames = this.autoMembershipPrincipals.getConfiguredIdpNames(principalOrNull);
        Set<String> emptySet = Collections.emptySet();
        if (this.groupAutoMembershipPrincipals != null) {
            emptySet = this.groupAutoMembershipPrincipals.getConfiguredIdpNames(principalOrNull);
            configuredIdpNames.addAll(emptySet);
        }
        if (configuredIdpNames.isEmpty()) {
            return;
        }
        String str = emptySet.isEmpty() ? "rep:User" : "rep:Authorizable";
        Iterator<String> it = configuredIdpNames.iterator();
        while (it.hasNext()) {
            try {
                list.add(StreamSupport.stream(this.root.getQueryEngine().executeQuery("SELECT 'rep:authorizableId' FROM [" + str + "] WHERE PROPERTY([rep:externalId], 'String') LIKE $" + BINDING_AUTHORIZABLE_IDS + " /* oak-internal */", "JCR-SQL2", buildBinding(it.next()), this.namePathMapper.getSessionLocalMappings()).getRows().spliterator(), false).map(resultRow -> {
                    try {
                        return this.userManager.getAuthorizableByPath(this.namePathMapper.getJcrPath(resultRow.getPath()));
                    } catch (RepositoryException e) {
                        return null;
                    }
                }).filter((v0) -> {
                    return Objects.nonNull(v0);
                }).iterator());
            } catch (ParseException e) {
                throw new RepositoryException("Failed to retrieve members of auto-membership group " + group);
            }
        }
    }

    @Nullable
    private static Principal getPrincipalOrNull(@NotNull Group group) {
        try {
            return group.getPrincipal();
        } catch (RepositoryException e) {
            return null;
        }
    }

    @NotNull
    private static Map<String, ? extends PropertyValue> buildBinding(@NotNull String str) {
        return Collections.singletonMap(BINDING_AUTHORIZABLE_IDS, PropertyValues.newString("%;" + str.replace("%", "\\%").replace("_", "\\_")));
    }
}
